please help

Posted: Mon Jan 03, 2011 3:12 pm
by heleopless
There is a fact in the MikroTik system that says:
"If the user has IP address specified, only one simultaneous login is allowed. If the same credentials are used again when the user is still active, the active one will be automatically logged off."


How can I change that?
I mean that when the client is active and another one logs in, he can't log in, or the system asks him for a user name and password.


This is to limit MAC spoofing.
If there are other ways to limit MAC spoofing, please help me.
Thanks in advance.

Re: please help

Posted: Tue Jan 04, 2011 3:05 pm
by sergejs
1) Control physical access to your network;
2) Use smart switch to protect your local network;
3) Use PPPoE, when higher security is necessary.

Re: please help

Posted: Wed Jan 05, 2011 3:07 am
by heleopless
"1) Control physical access to your network;
2) Use smart switch to protect your local network;
3) Use PPPoE, when higher security is necessary."

OK, thanks for paying attention.
How can I control physical access to my network (please give some details)? v3.3 MikroTik
How can I use a smart switch to protect my local network?
How will this help?


Thanks in advance.

Re: please help

Posted: Wed Jan 05, 2011 8:45 am
by sergejs
"how can i control physical access to my network (please give some details) v3.3 mikrotik"
The way users are connected to your switches, which gives them access to the network and the ability to run Netcut.
"how can i use smart switch to protect my local network ?"
When the network is wired, a smart switch could control per-port MAC address access.

Re: please help

Posted: Wed Jan 05, 2011 12:05 pm
by heleopless
OK, I see what the physical is.


Now I don't understand smart switching and how I can carry it out in MikroTik. Please give some details.

Thanks

Re: please help

Posted: Wed Jan 05, 2011 12:25 pm
by heleopless
"when network is wired, smart switch could control per port MAC-address access."
Really, I may have reached it.
Are there really wired switches that control and specify the MAC address per port?
What are the names of these switches (types)?

Re: please help

Posted: Wed Jan 05, 2011 1:14 pm
by sergejs
Router has nothing to do with it, unless clients are not attached directly to the MikroTik ports.
By the "switch" I mean the terminating devices, where end-clients are connected directly.

Posted: Wed Jan 05, 2011 3:44 pm
by heleopless
OK, that is wonderful.
I have to buy these switches; it will be very, very useful. Thanks a lot.
It will limit MAC spoofing to some extent.

Can wireless access points do the same?
By using WEP or other coding methods?

Does that help?

Re: please help

Posted: Wed Jan 05, 2011 7:00 pm
by heleopless
Any ideas?

Re: please help

Posted: Wed Jan 05, 2011 8:29 pm
by Feklar
You have to look at what the access point supports to determine that. What you are looking for in that case is often called Station Separation, or Layer2 Isolation, etc. etc. etc. Most manufacturers are going to have their own name for the same thing. MikroTik calls it default forwarding on their wireless cards. One very important thing to keep in mind here with wireless is that this will not necessarily stop someone sniffing the wireless traffic. Since the traffic is being broadcast in clear text if there is no encryption going on between the client and the AP, anyone that is in range can listen in on this traffic. All it is doing is preventing an end user from connecting to and talking to another computer over the network itself.

As for the switch, you are looking for a decent managed one. You are more specifically looking for one that supports port isolation, VLANs, layer 2 security features such as ARP and DHCP inspection. Port Isolation on a Cisco is run by "switchport protected", 3Com switches if they support it is "port isolate". The basic concept here is, any traffic coming in on this port cannot go out of any other port than the uplink port, i.e. the only port not in protected mode. We extensively use the 3Com 4500 series of switches for their price point and the features.

Re: please help

Posted: Wed Jan 05, 2011 8:45 pm
by heleopless
That is good.


Thanks a lot.

Re: please help

Posted: Thu Jan 06, 2011 9:28 am
by sergejs
I would recommend a different approach for wireless networks.
A strong WPA/WPA2 preshared key should be a secure enough solution (a different WPA key for each client).

Re:

Posted: Thu Jan 06, 2011 12:07 pm
by heleopless
Thanks very much.

I can see now that we can't prevent MAC spoofing in the router, but we can stop it or limit it at layer 2.
Thanks very much :)

Re: please help

Posted: Thu Jan 06, 2011 12:10 pm
by sergejs
Yes, it is correct.
The router "sees" a client with a spoofed MAC/IP in the same way it would "see" a good client with the same MAC/IP.
You have to prevent it with the described approaches.
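
The point reached in the posts above, as an added example that is not part of the original thread and not code from MikroTik or any switch vendor: a small model of per-port MAC filtering on the access switch, next to what a router sees when it only has MAC/IP to go on. The port numbers, MAC addresses, IP addresses and all function names are constructed for illustration.

```python
# Added illustration: per-port MAC filtering modelled in a few functions.
# Port numbers, MAC and IP values below are constructed sample data.

ALLOWED = {            # access port -> the one MAC permitted on it
    1: "00:11:22:33:44:01",
    2: "00:11:22:33:44:02",
    3: "00:11:22:33:44:03",
}

# Constructed frames as seen at the switch: (ingress port, source MAC, source IP)
FRAMES = [
    (1, "00:11:22:33:44:01", "10.0.0.11"),
    (2, "00:11:22:33:44:02", "10.0.0.12"),
    (3, "00:11:22:33:44:01", "10.0.0.11"),  # port 3 presenting port 1's identity
]

def normalize(mac):
    """Canonical lower-case colon form, so '00-11-..' and '0011.2233..' compare equal."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def switch_filter(frames, allowed):
    """Split frames into (forwarded, dropped) using the per-port allowlist."""
    forwarded, dropped = [], []
    for port, mac, ip in frames:
        ok = port in allowed and normalize(allowed[port]) == normalize(mac)
        (forwarded if ok else dropped).append((port, normalize(mac), ip))
    return forwarded, dropped

def router_view(frames):
    """What a router behind an unmanaged switch sees: MAC/IP only, no port."""
    return [(normalize(mac), ip) for _port, mac, ip in frames]

def ambiguous_at_router(frames):
    """MAC/IP identities that arrive from more than one port yet look identical upstream."""
    ports = {}
    for port, mac, ip in frames:
        ports.setdefault((normalize(mac), ip), set()).add(port)
    return {ident: sorted(p) for ident, p in ports.items() if len(p) > 1}

if __name__ == "__main__":
    fwd, drop = switch_filter(FRAMES, ALLOWED)
    print("forwarded by switch:", fwd)
    print("dropped by switch:  ", drop)
    print("identical at router:", ambiguous_at_router(FRAMES))
```

The frame from port 3 is dropped at the switch because the ingress port is part of the decision; in `router_view` the same frame is indistinguishable from the legitimate one on port 1.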

Re: please help

Posted: Thu Jan 06, 2011 1:14 pm
by heleopless
thanks